Security Basics mailing list archives

RE: Preventing OS Detection


From: "Jim Laverty" <jim () wangtrading com>
Date: Wed, 25 Feb 2004 11:51:59 -0500

"it's a good idea to learn about fingerprinting techniques and some of their
solutions"

Paul,

Vincent is right. One thing that may help you in your quest is to read
Ofir's paper from a long time ago on OS fingerprinting
http://www.sys-security.com/html/projects/icmp.html and Fyodor's paper
http://www.insecure.org/nmap/nmap-fingerprinting-article.html. This should
give you a good base to work from.

Check out Fyodor and Ofir's Xprobe2 notes and the other Fyodor's nmap notes.

http://www.notlsd.net/xprobe/
http://www.nmap.org
http://www.incidents.org/papers/OSfingerprinting.php
http://www.planb-security.net/wp/ring.html
http://www.linuxjournal.com/article.php?sid=4750 


Windows:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;314053
http://support.microsoft.com/support/kb/articles/Q120/6/42.asp

I hope this helps.

Jim

-----Original Message-----
From: Vincent [mailto:pros-n-cons () bak rr com] 
Sent: Saturday, February 21, 2004 12:57 AM
To: security-basics () securityfocus com
Subject: Re: Preventing OS Detection


On Fri, 20 Feb 2004 17:29:52 -0500
Paul Kurczaba <paul () myipis com> wrote:

If I go to http://uptime.netcraft.com and enter my website, Netcraft
will display my web server's OS, determined from the TCP/IP packet. Is
there a way in the Windows registry to prevent Netcraft (or anyone
else) from identifying my OS? On the page
http://www.webhostgear.com/36,1.html in the paragraph titled "Netcraft is
Watching", it briefly describes that registry changes can be made. Can
someone please give me some specific registry changes to prevent
others from identifying my web server's OS?

Thanks,
Paul Kurczaba

Under BSD and Linux there are many effective ways of doing this; under
Windows I think it would be difficult. You can set some things in the registry
like TTL [1] and turn off WebDAV [2], but nmap/netcraft have so many other
ways. Put a Linux/BSD box in front of the webserver; Checkpoint also works
thanks to the FW-1 INSPECT language, where you can inspect packets destined
for your server [3]. No matter what you choose to do, it's a good idea to
learn about fingerprinting techniques and some of their solutions.

http://voodoo.somoslopeor.com/papers/nmap.html - A practical approach for defeating Nmap OS-Fingerprinting
http://www.gsp.com/cgi-bin/man.cgi?section=4&topic=blackhole - blackhole(4) - a sysctl(8) MIB for manipulating TCP
http://net-security.org/article.php?id=406 - Help Net Security OS-FngrPrint article in PDF
http://www.citi.umich.edu/u/provos/honeyd/ - Honeyd - Network Rhapsody for You
http://ojnk.sourceforge.net/stuff/iplog.readme
http://www.insecure.org/nmap/nmap-fingerprinting-article.txt - nmap-fingerprinting-article
http://ippersonality.sourceforge.net/ - IP Personality - Home
http://www.freebsd.org/doc/en_US.ISO8859-1/articles/dialup-firewall/kernel.html - Kernel Options
http://www.stearns.org/p0f/ - p0f file listing
http://www.phoneboy.com/fom-serve/cache/82.html - PhoneBoy's FireWall-1 FAQs: Blocking queSO packets
http://www.s0ftpj.org/en/site.html - s0ftpr0ject 2000 Fingerprint Fucker
http://www.innu.org/~sean/ - Security Technologies
http://sourceforge.net/projects/sing - SourceForge.net: Project Info - SING
http://www.sys-security.com/html/projects/X.html - Sys-Security.com - Because Security is not Trivial
http://www.usenix.org/publications/library/proceedings/sec2000/smart.html - USENIX Technical Program - Abstract - Security Symposium - 2000

[1].. HKLM\System\CurrentControlSet\Services\VxD\MSTCP
[2].. HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters
[3].. http://oldfaq.phoneboy.com/fom-serve/cache/82.html
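Vincent's point that a TTL tweak alone will not hide the OS, because nmap, p0f and the like look at several stack properties at once, is easy to see with a miniature passive fingerprinter. The following is an added example written for this archive page, not code from any poster, from Netcraft or from p0f: it parses a raw IPv4+TCP SYN, extracts the fields passive fingerprinters classically use (initial TTL, window size, DF bit, TCP option layout) and scores them against a small signature table. The table values and the `build_syn` packets are constructed for illustration only (they resemble the well-known Windows NT-family and Linux 2.4/2.6 SYN shapes, but are not a real signature database), and the "TTL rewritten to 64" packet simply assumes the TTL was changed by some means such as the registry keys discussed above.

```python
"""Miniature passive TCP/IP OS fingerprinter (illustrative example, not p0f)."""
import struct

# Illustrative signature table, constructed for this example (not p0f's database).
# Each entry: initial TTL, window size, DF bit, TCP option layout on a SYN.
SIGNATURES = {
    "Windows (NT family)": {"ttl": 128, "window": 65535, "df": True,
                            "options": ("MSS", "NOP", "NOP", "SACK")},
    "Linux 2.4/2.6":       {"ttl": 64, "window": 5840, "df": True,
                            "options": ("MSS", "SACK", "TS", "NOP", "WS")},
    "FreeBSD 4.x":         {"ttl": 64, "window": 57344, "df": True,
                            "options": ("MSS", "NOP", "WS", "NOP", "NOP", "TS")},
}

OPTION_NAMES = {2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}  # TCP option kind -> name

# Constructed option byte strings used to build the sample SYNs below.
WINDOWS_OPTS = b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x04\x02"          # MSS 1460, NOP, NOP, SACK-OK
LINUX_OPTS = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8
              + b"\x01" + b"\x03\x03\x00")                               # MSS, SACK-OK, TS, NOP, WS 0


def build_syn(ttl, window, df, options):
    """Construct a bare IPv4+TCP SYN (no payload, zero checksums); test input only."""
    opts = options + b"\x00" * (-len(options) % 4)      # pad to 32-bit boundary with EOL
    data_off = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 0x12345678, 0,
                      (data_off << 12) | 0x02, window, 0, 0) + opts     # flags = SYN
    flags_frag = 0x4000 if df else 0                    # DF is bit 14 of flags/fragment field
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, flags_frag, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    return ip + tcp


def parse_syn(pkt):
    """Extract the fingerprint-relevant fields from a raw IPv4+TCP segment."""
    ver_ihl, _tos, _tlen, _id, flags_frag, ttl, _proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    tcp = pkt[ihl:]
    _sp, _dp, _seq, _ack, off_flags, window, _cs, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    opts = tcp[20:(off_flags >> 12) * 4]
    options, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                    # EOL: end of option list
            break
        if kind == 1:                    # NOP has no length byte
            options.append("NOP")
            i += 1
            continue
        options.append(OPTION_NAMES.get(kind, "OPT%d" % kind))
        i += opts[i + 1]                 # skip by the option's length field
    return {"ttl": ttl, "df": bool(flags_frag & 0x4000),
            "window": window, "options": tuple(options)}


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value (hop count unknown)."""
    for candidate in (32, 64, 128, 255):
        if observed <= candidate:
            return candidate
    return 255


def guess_os(features):
    """Score every signature by number of agreeing fields; best match first."""
    results = []
    for name, sig in SIGNATURES.items():
        score = 0
        score += initial_ttl(features["ttl"]) == sig["ttl"]
        score += features["window"] == sig["window"]
        score += features["df"] == sig["df"]
        score += features["options"] == sig["options"]
        results.append((name, int(score)))
    results.sort(key=lambda r: r[1], reverse=True)
    return results


if __name__ == "__main__":
    stock = parse_syn(build_syn(128, 65535, True, WINDOWS_OPTS))
    tweaked = parse_syn(build_syn(64, 65535, True, WINDOWS_OPTS))   # TTL changed, nothing else
    print("stock Windows SYN:  ", guess_os(stock)[0])
    print("TTL-only tweak:     ", guess_os(tweaked)[0])
```

Run stand-alone, the stock Windows-shaped SYN scores 4 of 4 against the Windows entry; after lowering only the TTL it still scores 3 of 4 there (window size and option layout are unchanged) while the Linux and FreeBSD entries reach just 2, so the guess does not move. Hiding the stack therefore means normalising window, options and DF as well as TTL, which is what a scrubbing firewall or a BSD/Linux box in front of the server does and a single registry key does not.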

